keytab created on MIT KDC with des3 enctype does not work with heimdal

Russ Allbery rra at
Thu Jun 8 20:40:49 EDT 2006

Arati Desai <artipdesai at> writes:

> I have a kerb5 setup with MIT KDC and heimdal client
> APIs to perform kerb5 authentication. I have created
> principals without specifying any keysaltlist. A
> keytab is created by running ktadd. klist shows-

> -bash2-2.05b$ sudo ktutil -k
> /tmp/ list
> /tmp/

> Vno  Type           Principal
>   5  des3-cbc-sha1  imap/ at DOMAIN.COM
>   5  des-cbc-crc    imap/ at DOMAIN.COM

> (Note: I have replace domain with actual domain name)

> With this keytab, heimdal client gives authentication
> failure. When I debugged the code I found that it is
> failing in verify_checksum function.

Read the COMPATIBILITY section of the gssapi(3) man page.  Could that be
your problem?

Russ Allbery (rra at             <>

More information about the Kerberos mailing list